Hello. Hi. OK, I hope everybody's got lunch. And we'll start and move into the second half of the day, which is the way we broke it up is that the first half of the morning is the more design-focused talks. And the second half of the day is slightly more technical. We go into a little bit more detail on specific techniques that you can use. So Akash has been desperately trying to erase the phrase "that web security guy" from the internet with little success. But he's that web security guy. And he's going to talk about how you can tell over the next 45 minutes whether you're designing an insecure site. So he's a co-founder and the manager for the OWASP and the open security community, which is called null. So perhaps if you're interested in issues around security, connect with him afterwards as well. Also, if you were sitting at the back, there's plenty of space up front if you'd like. You're more than welcome to come up in the front and on the sides.

Hi. Good afternoon. Good afternoon. See, I have a tough job. You just had a good lunch. So I need you to be awake, at least vocal. So you can keep your eyes closed. And whenever I'm shouting a bit, you can just reply then. Can you do that? Yes, no, maybe. Yes, no, maybe. OK, the first row is awake mostly because these are people I know and I've dragged them to the talk. I don't want them waiting outside. OK, so I'm going to talk about how to tell if you're designing an insecure website. First of all, the first thing you should know about, it's not a how-to. The reason is because apparently HasGeek doesn't allow how-to sessions. It's very clearly written on the proposal page of Meta Refresh. I got in. OK, my proposal title started with a how-to and I still got in. So maybe they're not paying that much attention. And does that bother you? Oh, yes. How many? Can you raise your hands? Whoa. So the only reason it's there is because I wanted to see if you're awake. But there is a subtle point to that.
My talk is less about design from a designer's point of view, but more about how I experience it and how it comes in my way, because I do application security day in and day out, and how it always comes in my way of creating secure products. And if you've heard this before, security versus usability and business case and all of that, that's fine. Like grammar irks you. Like my friend from HasGeek just said, it irks you when you see "your" being used. Sometimes design comes in the way of security. My point is that it need not be. It's possible that using design, you can develop in a more secure manner, or it could be more secure for your end users. Whatever the objectives are, what we'll do, we'll go through it and we'll see. First, I have to tell you a joke. This is the second thing I have to make sure that you stay awake. So we all have our favorite websites. Some websites that we maybe log into every day. I use Reddit a lot. I'm sure a bunch of you do that. Or maybe Facebook, which is very common because all your friends are there. So I had a favorite website. It used to be called Digg. Anyone's heard of Digg here? Wow, cool. They are raising their hands on their own, great. So that's behavioral, whatever, at work. So I used to go to Digg and then I discovered something else. Reddit or maybe something else. There's popurls. And I started going to that website. So it had been three months, three and a half, four months. And I remembered, oh, I used to go to Digg and there were some cool links there. Let me go and see what it's up to. So I type digg.com in my browser. I go there. And suddenly this pop-up opens. We've all seen pop-ups. They're very irritating. And the pop-up is the website talking to me. And Digg is like, so where have you been? Giving me all these passive aggressive vibes. I'm like, OK, what? Yeah, I've been around. I've been busy. I've been going to other websites. And OK, are those websites nicer to look at? Do they load faster? Do they have better typography?
And I'm not really sure what is happening. I don't expect the websites to have attitude. They're just static things, even when they're dynamic. But that is an example of an insecure website. Thank you so much. Now let's talk about what the thing is. First of all, as a disclaimer, I always put disclaimers for HasGeek conferences because you tend to be very opinionated. And I tend to be a little controversial. I keep teasing people. So the disclaimer comes first. I understand things about insecure websites. I don't really understand design, UI, UX that much. And the case in point, I was sitting on the second row. And during this talk about overexposed, this person was, I think Sawik was mentioning how he changes the font a bit and it looks nicer. And he was talking about serif and sans-serif. And I turn to Meenal, a good friend who really likes to talk about typography and other things. So what is the difference between serif and sans-serif? And he says, what do you think is the difference? I thought serif is where you have cursive writing. And sans-serif is when you don't have cursive writing. Apparently, that's not true. Anyone else who doesn't know the difference? Anyone else like me? OK, wrong order. Oh, there are two people. Great. Four. So apparently, serif is the one which has a dash above the L and the P and all that. And in sans-serif, that's not the case. And Times New Roman is a really bad font to use online. That's what I got out of that. So clear disclaimer, you understand what I'm saying? This is not a how-to. This is more like a series of thoughts. Any more spelling mistakes are mine. It's not intentional. So this points it out. What I'm going to talk about is effective design. I will tell you what I think is effective design. It could be UI, UX; for me, it's the same. Sorry, I'm not from this background. So designer, UI expert, UX expert, all the three things are the same to me. Obviously, they're not. I understand there are differences, but I personally don't care.
When I see Cleartrip, I see that's a really nicely done website. And I definitely appreciate it compared to MakeMyTrip or Goibibo or one of those. But in the end, if Goibibo or some other website is offering a cheaper flight, so for me, that's effective design. So this is what I think effective design is. You may disagree with me, but we'll take the disagreement outside after the talk is over. Something that compels a user to do what the designer wanted. It may not be perfect. It may have missed a lot of edge cases. It may have missed the main point. But I think, from the end user point of view, I'm a consumer of design. I don't produce design, but I'm a consumer. It's like, when I showed the slides to him, and I was like, can you fix the typography? And he looked at two slides, and he was like, sorry, dude. This can't be done. But whatever. So I'm saying that something that compels a user to do what the designer wanted. Let's stay with that thought. I think Gmail is a great example of effective design. And I'll tell you why. Personally, I did not know that you could arrange mails in labels rather than physical folders. Gmail taught me that. Maybe it was not a new idea. It was not unique to Gmail. But that's where I experienced it. So same thought that effective design is Gmail. But let's take a closer look at an example. Can you notice? I don't know if you can read this. Obviously, the last benches can't. But the URL seems different. Can you guys read that? Yes, no, maybe. So is it a phishing attack or an effective design? In this case, this is just a proof of concept for a phishing attack. Why? OK, add a nice animation. It's pointing. The arrow is pointing to the URL. What I'm saying is a well-executed phishing attack, and I'll explain what a phishing attack is a couple of times later, is an example of effective design. What is the objective of the attack? To steal credentials or do something else, maybe post on your wall or something?
But it is an effective design because of the way web design works and how consumers consume it; there are a few things which are common here. We're just trying to see what makes it a phishing attack. First of all, there's a favicon, which looks like that red folder, which is like a Gmail thing. And when you drag it and save it in your bookmarks, it looks like the Gmail favicon. And whenever you bookmark something, you will not check the URL it is going to every time. Makes sense, because that's why you bookmark it, to save time? Yes, no, maybe? Cool. So this is phishing with a "ph", not an "f", "ph". There's a whole history behind why it's phishing with a "ph", because of phreaking and all that. We'll not get into that. I believe from my personal experience, there are some features of effective design. I might have missed a lot, but let me stick to these for now. There are some assumptions about how the site should be laid out, what it should contain, based on some things like heat maps, and then a bunch of other data-driven things that Google does very well with your A/B testing and other things. There is always a call to action. Sometimes it's a green, big button. Nowadays, you have these new frameworks for websites called Zurb Foundation and Bootstrap and all the others. And they tell you it's a feature that they have nice responsive buttons, buttons which go big and small based on the size of the screen. There are some visual cues, right? And this is more relevant to anyone who does shopping online. There are a bunch of websites which very proudly proclaim why they should be trusted, right? Because they have logos about Better Business Bureau, eTrust, nTrust, a bunch of things. In the end, it's just an image and it's a visual cue. How does phishing work? Most people, now not the people sitting in this room, okay? Most people don't waste an entire Friday sitting in a room talking about UI and UX. They're mostly in office right now.
They will finish at five and go drink or something, right? So you are not most people. Think about people in your lives who are not into tech. Your parents, maybe your siblings. Most people do not pay attention to what is in the address bar, right? So I completely agree with Savik's point about having really good looking URLs, but you know what? Most people don't really care. It's not an attitude thing. It's not an attitude thing. It's like, I remember email addresses better than full names. Why? Because growing up, that just made sense. A bunch of you, I wouldn't know your first name but I would know your Twitter ID, right? So that's what happens. This is a function of the company you keep. The second thing is people love to fill login forms. They see a login form and they know, I know this. Yeah, because this is what an address bar can really look like. Wow, your eyes will bleed. I'm telling you, your eyes will bleed. It starts with scheme, colon, two slashes. Then you can actually have a login, colon, password, at, host name or host address, which means a website name or an IP address, colon, port number, okay? And a bunch of other things. Hierarchical path to the resource, then question mark and your parameters, and all of you who are into backbone.js and all, your fragment ID, right? That's what you end up doing. How do you bookmark stuff and all? I've just taken this from the Browser Security Handbook. So if you look at the URL for the reference, which is HTTP colon slash slash, a domain name slash, a hierarchical path to the resource, most likely it's multiple folders, but it need not be, right? You have your routers and everything else. So I was trying to research for this talk and I kind of figured out this is an important book for anyone who's doing web design and talking about usability. There used to be this guy, Jakob Nielsen or something. He had a blog called useit. Right?
Yeah, I don't know if he's like in fashion anymore or not, because there are a bunch of other people, right? Because apparently Amazon says this is like a more popular book. It's a very cool title. Don't Make Me Think. And that big browser button, you know, call to action and conveniently placed cursor. Maybe this is my thought. Don't think equals impulsive. Why would that be? Because impulsive is acting or done without forethought. Young, impulsive teenagers, that was the original meaning I got from Google, but it could be shoppers. A lot about usability, you know, a lot of research is driven by how can we get people to shop more? Not leave them, you know, where they've filled in their shopping cart but they don't do the last thing. A lot of it is about landing pages and conversion rates, right? So the design is driving people to be impulsive. They're saying effective design is what is the conversion rate? What is data-driven design all about, right? What is A/B testing all about? But people rely on visual cues. We come back to phishing. So if anyone doesn't know what it is, it's a made up word basically. Okay, it's not a dictionary word. It is the act of attempting to acquire information such as user names, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. It seems like a, you know, a bureaucrat has written this definition. The part that I want you to focus on, very nicely I've put it in yellow and I made the font bigger, is trust, okay? Because I believe effective design in the end is about generating trust, okay? It's like if you have a post on Craigslist about the next design wave, most of you will not take it seriously because it's on Craigslist. You've seen the UI of Craigslist, right? But if the same thing is in a Q&A format in Quora, some of you might actually, you know, upvote it. Yeah, you're being fooled. It's trust. People trust big, shiny locks. They do, right? That's why you're laughing right now.
Trust no one. Do you know which? What? X-Files. Okay. The X-Files, yeah. The show about alien abduction and all that. It has the best piece of advice: trust no one. And there are a bunch of people who I work with regularly and they just get fed up of me saying that, trust no one, be paranoid, do security, all of that, and they're like, yeah, whatever, right? But that's what I'm trying to say. We cannot escape from getting better design. We cannot escape from people, you know, it'd be easy for people to spend more money buying stuff, but can we do it in a manner which is secure? I think I'll finish early. I just want to give you two examples where this trust collides with effective design. And it makes a really bad case for UI and UX. The first example is a password reset or a password change feature in websites. Okay. And again, the case I'm going to make is why I think it's bad for UI or UX. Maybe that's not the case. Please correct me if I'm wrong. And then the second thing which I'll definitely look at is an SSL-enabled website. Okay, question for you guys. Should it be "an SSL-enabled website" or should it be "a SSL"? Why? It's an S. See, another thing I learned today. Today I learned. So in an ideal world, when there were no criminals, there was nobody trying to steal your stuff, passwords wouldn't matter, right? Nobody was trying to steal, so why would you need passwords? But in an ideal world, how would a password reset thing work? You click on "enter email to reset password" or actually "give me my password". It'll give you your super secret password. Why does it not work like that? Okay, that's what we're going to look at. When you click that button, what really happened? Okay. There was some code, some source code, some JavaScript, some HTML loaded in the browser. That's why the button got generated, right? That sent an email to the server. Or maybe it filled a form, it did something, right?
It moved from the browser to the server, which is on fire, I don't know why. That's the graphic I have for you. Now, the server did a bunch of things. Maybe, you know, if there was a sensible programmer there, someone like you, it checked if the email was actually in the database, it generated a password. It did something, all of that, okay? What is wrong with this picture? Why is it bad for UI and UX? Okay. In turn, bad for security. Because the server doesn't know it is you who filled the form. The email ID that you filled in, that it actually belongs to you. You understand? Because you don't have the password, you've not authenticated with the server. You just got a form, you filled it. Could be anyone's email ID. Like someone gave an example of IRCTC, where you can get the username in the error message, if you put in some email ID. Or the other way around, okay? Now, this is the difficult part. How is this securely solved? Using out-of-band communication. What does that mean? This communication is not based on the web, you know, the client-server thing that you have just done. Most likely, the code loaded in the browser did something to the server. And the web server will email you a link, hoping that the email address is in your hands. The web server is gonna trust that information. It is going to email you that link. Now, the email is lying on another server. You will have to log into your email, right? You have to click on the link and that link will take you to the server. Now, the server has the unique, whatever identification it had, because it knows that it sent the link to you. Based on that, it confirms the link is proper and it allows you to reset the password, okay? That's how it happens, right? Now, try explaining this to your dad, okay? My dad, the way he uses the computer, okay? He uses one finger to type. And when he's typing, he does not hold on to the mouse.
Okay, so he'll find the keys, make a mistake, find backspace and does not know what tab is, so doesn't go to the next field. He then searches for the mouse, holds the mouse, searches for the cursor on the screen, then finds the exact spot where if he clicks, it'll be in the next field, and he does all this. You completely broke whatever he has learned about it, okay? Which is why it's bad for UI and UX. But, there's another twist. All of this was sent back and received in clear text. Clear text is text that you can read, right? That's it, nothing else. What's wrong with that? This is a hypothetical list of stuff that is between you in the browser and the server, okay? You could be on a wireless network. If it was sent in clear text, for all of you who are in the same wireless network, it is theoretically possible, it's practically very easy, to see what data was being sent. There could be a helpful IT admin monitoring for bad traffic. You know, bad traffic is in quotes, so you don't know what they're monitoring for. There could be an ISP gateway with a helpful IT admin. There could be a country-level gateway with a helpful government IT admin. Again, monitoring for bad traffic. You know, think of a bunch of countries who've done this before. There could be a server admin monitoring and you don't know who else. How many hops are there? What routers were involved? All of that. So, there are a bunch of things that can happen and this is all sent in clear text. Just so, before we continue, I'm gonna recap what we have talked about. Because I kind of forgot when I was doing this, you know, where I was. Effective design inspires trust. People trust based on strong visual cues. These cues can be faked. I gave you an example of a phishing page. Ideally don't trust anyone. You guys won't listen to me. If we use a common-sense approach to generating a new password, we will need to trust multiple intermediaries. I always wanted to use that word. So it will pronounce. Right?
So this is what we have looked at so far and we now know that it is going in clear text. It is, you know, maybe readable by a bunch of people who may not be very friendly to you. This is a problem worthy of a philosoraptor. So how do we create secure websites? Nobody gets the meme? I thought it was funny. SSL. Ever heard of this? SSL? HTTPS? Yes, some people are nodding. Okay. Sorry. Sorry about that. There was a time when people used to think that all problems in application security will be magically solved by SSL, okay? Did it not turn red or something? Oh, okay. I put that animation in it. Okay, maybe, maybe not. Let's see. This is what SSL looks like to a normal user using a browser, okay? This is not my slide. I've taken it from a place. I've referenced it. If you were using Chrome, that shiny lock will be on the left. If you're using IE9, it'll be on the right. Opera has a different place. Safari has a different place. And I'm sure there are a bunch of browsers missing here. And I'm not even looking at the mobile browsers. Okay. This is supposed to, you know, give you some security. But the way, and I'm not saying, you know, designers are at fault or something. But the way it looks to an end user, these things appear everywhere. And there have been attacks against SSL where they have just created a shiny lock, put it on as part of the webpage. They can't manipulate what's on the, you know, the chrome of the browser, right? But they can put it on the webpage and people trust those things. There are two things SSL is supposed to do. Okay. Without being too technical, ideally nobody can see your message. Therefore, they can't change it because they can't really see what is in clear text. And are you talking to the right server? Your encryption doesn't really count for anything if it is reaching the wrong server because there it is going to get decrypted. And then there is this hierarchy. You are supposed to trust some intermediate CAs.
CAs are certification authorities. Let's just leave it at that. You are supposed to trust some third parties who have been assigned and who have done business with the root CAs. So root CAs have a business. They have sold something to these middle guys and you're supposed to trust them to tell you that the server you're talking to is your actual bank. What could go wrong? Bad things can happen. There are a bunch of examples. The point is hundreds of certificates for different websites have been generated which your browser will completely accept as genuine, authentic, and you wouldn't get the dreadful red page warning, "are you sure you want to continue?" I'm sure you guys have seen that, right? This is what a rogue SSL certificate can look like. This was done as part of a research project. These guys created a certificate and they called it "I broke the internet and all I got was this T-shirt". They never released this because they thought that this was too sensitive to be released, but this research is available. It'll be part of the slides so you can have a look. So then, you know how businesses respond to a challenge. They came up with something called EV SSL, Extended Validation SSL. They would only give this SSL certificate to a genuine business, right? That's what they're saying. Makes you wonder who were they selling it to earlier? This is, there's a lawyer involved and he's gonna make sure that the business address is checked or whatever, but that's what it came to. But look what happened to that. This is how it appears to an end user. If you're in IE, the whole bar is green because PayPal is using an EV certificate, Extended Validation; on Chrome and Firefox, just a small part on the left is green. But end users mostly don't notice address bars, right? They're not even looking at this. Firefox also does one other thing, it's a subtle thing, I don't know if you noticed.
If you notice, the actual domain part is darker than where it says H-T-T-P-S, slash, slash, W-W-W. Okay, so that is trying to show you the actual domain, like people really cared about it. I don't have time to cover this. I actually promised three things. So maybe next year. I don't have the answers for you. I really don't have the answers, okay? I don't understand design that much. But I'm guessing, I'm hoping that being in this room, talking to this audience, you guys will look at these things as well, right? Because a secure, safe internet basically means more business for you, right, in the end. And I don't understand the design part of it, okay? I understand security. I also understand that people want to use these things without worrying about security, insecurity, how safe, how paranoid. They don't care about all that, okay? The idea is to get your attention and see if these problems can be solved using design. Because it's a very powerful tool. I think before Cleartrip, we didn't really have good travel websites. It's actually really beautiful to look at, right? Even the way a ticket gets printed and all that. That's all I have. Questions? I'm on time. Questions? Okay, till someone figures out they want to ask a question, I just want to tell you a nice story. I went to a KSRTC booking office. KSRTC is your bus roadways. And there was this really nice person sitting there managing the ticket thing. He had Chrome open on his computer. I was really impressed. And this is like three years back. So I said I have to book a ticket. You know what he did? In the Chrome bar, he typed in www.google.com. Then pressed enter. Then it went to google.com. Actually went to google.co.in. And then it showed the search bar. There, in all caps, he typed KSRTC. Then pressed enter. And then clicked on the first link, the search link returned, to go to the KSRTC website. The KSRTC website is ksrdc.co.in. That's what normal people do. Questions?
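The out-of-band password reset the speaker walks through (the form only submits an address, the server mails a link, and the link coming back is what proves the mailbox is in your hands) as an added, runnable Python example. This is not code from the talk or from any site mentioned in it; PasswordResetService, request_reset, complete_reset, the reset URL on app.example.test and the example addresses are all constructed for the illustration, and the e-mail channel is a captured outbox so it runs offline. It also covers the two failure modes a practitioner wants handled: the form must answer the same way for unknown addresses (the IRCTC-style username leak the speaker mentions), and a mailed link must be single-use and expire.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # a mailed reset link is only good for 15 minutes
PBKDF2_ROUNDS = 100_000       # constructed choice for the example; tune for your hardware


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). Hypothetical helper for this example."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class PasswordResetService:
    """Hypothetical service: the server never reveals a password and never trusts the
    address typed into the form; it only trusts a token that comes back from the mailbox."""

    def __init__(self, send_email, now=time.time):
        self.send_email = send_email   # the out-of-band channel (e-mail in the talk)
        self.now = now                 # injectable clock so expiry can be exercised
        self.users = {}                # email -> (salt, digest)
        self.pending = {}              # sha256(token) -> (email, expires_at)

    def register(self, email, password):
        self.users[email] = hash_password(password)

    def verify_password(self, email, password):
        record = self.users.get(email)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(digest, hash_password(password, salt)[1])

    @staticmethod
    def _token_key(token):
        # Store only a hash of the token: a leaked table of pending resets is then useless.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email):
        """Step 1, over the web: the unauthenticated form. Same reply whether or not the
        address exists, so the form cannot be used to enumerate accounts."""
        if email in self.users:
            token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, unguessable
            self.pending[self._token_key(token)] = (email, self.now() + TOKEN_TTL_SECONDS)
            self.send_email(email, "https://app.example.test/reset?token=" + token)
        return "If that address is registered, a reset link has been sent."

    def complete_reset(self, token, new_password):
        """Step 2, via the mailbox: possession of the token is what proves the address."""
        entry = self.pending.pop(self._token_key(token), None)   # pop: one use only
        if entry is None:
            return False
        email, expires_at = entry
        if self.now() > expires_at:
            return False
        self.users[email] = hash_password(new_password)
        return True


def run_demo():
    """Walk the flow with a fake clock and a captured outbox; returns the observed outcomes."""
    outbox = []
    clock = [1_000_000.0]
    svc = PasswordResetService(send_email=lambda to, body: outbox.append((to, body)),
                               now=lambda: clock[0])
    svc.register("alice@example.test", "old-password")      # constructed account
    results = {}
    reply_known = svc.request_reset("alice@example.test")
    reply_unknown = svc.request_reset("mallory@example.test")
    results["same_reply_for_unknown_address"] = reply_known == reply_unknown
    results["mail_sent_only_to_registered"] = [to for to, _ in outbox] == ["alice@example.test"]
    token = outbox[0][1].split("token=", 1)[1]               # what the user clicks in the mail
    results["forged_token_rejected"] = svc.complete_reset("not-the-real-token", "x") is False
    results["real_token_accepted"] = svc.complete_reset(token, "new-password") is True
    results["token_single_use"] = svc.complete_reset(token, "another") is False
    results["new_password_works"] = svc.verify_password("alice@example.test", "new-password")
    results["old_password_dead"] = not svc.verify_password("alice@example.test", "old-password")
    # second reset, but the user only opens the mail after the link has expired
    svc.request_reset("alice@example.test")
    late_token = outbox[1][1].split("token=", 1)[1]
    clock[0] += TOKEN_TTL_SECONDS + 1
    results["expired_link_rejected"] = svc.complete_reset(late_token, "late") is False
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The design choice worth noting is that the trust the speaker describes is concentrated in one place: the random token. The web form is trusted for nothing, the pending-reset table holds only a hash of the token, and the token is consumed on first use, so the intermediaries on the path (wireless network, ISP, admins) only ever see a one-shot secret with a short lifetime. The clear-text exposure of that link is the problem the SSL part of the talk picks up next.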
Was it so fabulous that there are no questions? All the plants, ask your question now. Yeah, it's not really a question, but it's an anecdote. You know how the modern browsers have different colors for the security locks? Like it can be red or green or yellow. I got the most concerned call from my mom when she was on Gmail once. And it was yellow. And because it was loading assets from an insecure website, she was like, oh my God, my website's hacked, my computer's hacked, oh God. And I was like, oh, she freaked out and she took the computer into a hardware store. Boy, it is just like, I tried to explain to her it's not something to worry about. I didn't have any luck. But that's the problem, right? You can say don't worry about it this time. But next time it could be a genuine threat. It just confuses normal users. Yeah, sorry. Any other questions? Hi Akash, what do you think is the security requirement for intranet applications within the corporate? Which are not accessed by the public, yeah. How much importance should we give there and how much should we not? If you're asking me, they should be built with the same security requirements as you would build any other kind of application, because intranets tend to store a lot of sensitive data. And in fact, I'm doing a training next week where one of the tasks will be to get access to an intranet application from outside and steal data. Okay, so if you're asking me, you should definitely consider it at par. Anything else? This isn't a question, but his anecdote reminded me of another thing. So I used to work at Practo, which is a medical startup here based in Bangalore. And one of the changes that the design team did there was that in the search bar of the website, of the internal application that the doctors and nurses actually use, in the search box, they put in a hint text that said "search", okay.
And the next day we received 13 phone calls from clinics across the country: there's already something written inside the box. How do I search? Yes. So if people think that, you know, I mean, a lot of people come up and discuss things like, you know, there should be hint text and labels and stuff. Yeah, and it's not even funny, it's like my parents just get anxious when they're unable to figure out. It causes them so much anxiety, like they have broken something there. Anything else? Oh yeah, there's a question there, at the back. Hello. Hi, my name is Surudham, a designer. We're discussing a problem to which, the way I see it, you're saying it has a design solution, or does it have a tech solution? What is the point of your talk? The point is that without really good design, none of the tech solutions will work. I don't have an answer for what would be a good design, but I'm saying the current situation is that we have a lot of security issues, but the design isn't really helping us out. Does that answer that? I don't really follow. I don't have a- I'm saying even phishing websites are made as well as, as pretty as, say, regular websites. No, they're just copying the entire source code and then they're set up. So from a user standpoint, both look equally secure, right? So from a design perspective, they've got it covered. So shouldn't the tech get stronger for authentic websites? Let me put it this way. I gave you an example of a phishing website of Gmail, where in the address bar, it clearly shows that it's not Gmail, right? Now the extended validation SSL, which is a solution for SSL's failings, is doing everything in its power to put all of the visual cues inside the address bar. I don't believe that's a good solution. I don't know what is a good solution, but I don't believe that's a good solution, because people, normal people, are not paying attention to the address bar in the first place. That's what I'm trying to say.
And this is the exact discussion that I'm hoping for, right? Answers from you guys. All right, thanks. Hi, do you think if browsers actually become smart enough to recognize the comparison between the actual page and the URL is different? So if a browser recognizes a Gmail page and sees the URL is different from a Gmail authenticated URL, which it has in the system, it can create an alert for it, not show the website. See, the problem will not be solved. The problem will not be solved by the browser vendors, because if they try to start reading what is happening and start comparing and sending it to somewhere else, it'll become a huge privacy issue. No, no, no, no. You have your Microsoft site advisor and a bunch of, sorry, McAfee SiteAdvisor trying to do something similar. The other thing like Chrome can do, Google Chrome does, is by default for some of the websites, it has the certificates already in the browser, right? So by default, you can't go wrong, you can't go to a wrong server. The idea is that let's just take it away from the user to choose that. Because they want to go to PayPal. I think you did not get, maybe I was not proper in that. I'm sorry. Maybe I was not proper in explaining what I was trying to say. So normally what browsers nowadays show is a snapshot on the homepage where you can actually see a small image of the site which you normally go to. Yeah. So what a browser maybe can do is keep a snapshot, let's say as an image, and when a phishing site loads up, so the URL will be different, as you said. So take a snapshot of that phishing site and compare, if there are some basic similarity algorithms that can run on it, and compare that it's a similar UI, but the source, the URL resource, is actually not the right one. It can say a problem is there. Yeah, so where will the comparison data basically be kept? In the browser. Okay, that's a solution. Maybe, I don't know if that's viable. It's just. But that makes sense.
What you're saying makes sense, yeah. I think there was a question here. So one of the things is, I think there's a design problem to security, but I think there's a problem from the security side as well, in the sense that it's very hard for a small startup to make their website reliably secure. I think there are technical challenges to get SSL right, the whole mix content warnings and all that stuff. I think it's kind of, it's easy, but it's not that easy that anyone can be secure by default. I don't like businesses realize that their end users don't really care. So for startups, it's very important where they will put their money in, right? And at a business level, the problem is solved. They don't care. Like how banks solve it, they know that 10% or 15% of the transaction that will happen, there'll be fraud in it. So they buy insurance for that. Okay, but I think there still needs to be something to make it really easy for startups. Cheaper, faster, simpler to implement. You should start coming to null. We do a lot of information security stuff for free. Startups can benefit from that. How am I doing on time? Hello. It's not a question really, but I think the bigger problem here is a lot of things that we do in day-to-day life are dependent on convention. And the thing is all with these security issues like the green bar or the lock symbol and all, right? There is no standard convention on where they would appear. Like every browser manufacturer would have it in different places or they will indicate it differently. So the way we have web standards, if we have some browser security standards, then probably it will be easier for us. So the good news is they have already started doing that. Especially the teams at Firefox and Chrome, they are talking about these things on a regular basis. And they're actually working towards that. But I don't know how effective that'll be. Or will they actually be able to get stuff done? 
But the good news is they've already started talking. And including not only the browsers, but some of the big websites, right? Especially your Google, Twitter, and a bunch of them also understand how security is like a prerequisite for them providing their services well, right? Which is why Facebook has started turning on HTTPS for a bunch of countries based on what happened in Tunisia. Sir, as you're talking about the SSL certificate, so if I'm running one website, and I'm using the self-signed certificate using OpenSSL. So as I know, nothing is different between the already authorized CA certificate and a self-signed certificate. Instead of just we are trusting on some CA. But internally, both are showing the same thing. If using that, the self-signed certificate, as some browsers don't have the root CA and CA, all those certificates. So anyway, some site is still offered. You have to anyway proceed to this site. You have to add to exception. So if I'm using on my site that certificate, self-signed certificate, and I'm giving that self-signed certificate. So anyway, user can proceed with that certificate also. In that way, we can attack using the duplicate certificate on some site. So the attack can happen. On SSL, attack can happen. It can happen. But again, if your users are well informed, they understand what your certificate looks like. Some authorized, that means already CA-provided certificate. Also, you have to anyway some, like in India. India having the seven or six CAs. From the, I think in IE or Mozilla and Chrome, none of them have it. None of them have it. Yeah. So you have to, an Indian guy has to anyway add the exception in the browser. So if I'm providing that OpenSSL certificate, in that case, you also have to add that certificate. So you don't know, I mean, whether you are adding that OpenSSL certificate or that CA certificate. So how can you prevent this kind of attack on SSL? You can't.
In any which way, you'll have to either give the key of the SSL certificate and the person can verify manually before they add it. But you can't prevent the attack if someone is hell-bent on adding a certificate. In that case, sir, if I'm using the EV certificate, EV SSL, in that case, as the EV, I think, as I know, only they are going for manual verification of the servers and whatever the certificate is there. So in EV certificate, we can, somewhat we can provide the solution for SSL. No, I don't think your browser will accept a self-signed certificate as an extended validation. I don't think that's possible. But I'm not sure. I'll check up on that. I will let you know. Just meet me outside. But I don't think the browser will accept it. Akash? Akash? Yeah. So I just want to contribute to the discussion. But I think design teams and security teams are completely disconnected. I don't know of any design team that has security as an end goal. So I think the point you're trying to get at was really that designers should get involved with this discussion of how to secure things to maybe solve some of these problems. Because right now, we're just completely disconnected people. Because if they did talk a lot more, maybe we could solve some of this, right? It wouldn't be so bad. Thank you, guys. Thank you so much. We'll have a quick break. Since we've gone a little bit beyond, let's take.
